Domain: nedbatchelder.com
Stories and comments across the archive that link to nedbatchelder.com.
Comments · 14
-
Re:Sticking it to Starbucks...
be awesome to see funny hexadecimal put in subpoena by the clueless.
-
Re:Is this good news or bad?
> Filtering user input properly would have stopped this though
Yeah but I think a lot of people underestimate the difficulty of "properly".
Even when it comes to simple stuff like escaping angled brackets:
http://cansecwest.com/csw09/csw09-weber.pdf
http://www.securityfocus.com/archive/1/437948/30/0/threadedMore here:
http://nedbatchelder.com/blog/200704/xss_with_utf7.html
http://www.securityfocus.com/bid/31183/discuss
http://ha.ckers.org/blog/20060817/variable-width-encoding/Worse if you need to allow _some_ fancy stuff but not all.
To use a car analogy, browsers nowadays are like cars with 1000+ gas pedals, many placed in strange and unexpected places. But not a single brake pedal.
To stop, you must ensure that NONE of the 1000+ gas pedals are pressed.
If a hacker rides past and manages to press one of those pedals, you crash and burn.
I've been proposing a brake pedal for browsers for years: http://slashdot.org/comments.pl?sid=1384497&cid=29565569
I really don't care what it ends up looking like as long as it works and is easy to use.
What if one day your filters disagree with some of your users browsers in their parsing? All the different browsers and filters might be correct according to different interpretations of the standard(s) - just some ambiguity makes them all right and yet some different.
With my proposal as long as they interpret the brake pedal correctly, they could still be safe (there's no 100%, but hey at least things will be safer).
-
Re:html tag to disable active content
That's all very nice and simple till stuff like UTF8, UTF7, etc get involved...
See:
http://nedbatchelder.com/blog/200704/xss_with_utf7.html
http://www.securityfocus.com/bid/31183/discuss
http://ha.ckers.org/blog/20060817/variable-width-encoding/You don't have to believe me when I tell you there are 1000 (or more) gas pedals and no brake pedal and it's a crazy situation. But that's the truth as I see it.
I daresay many of the website folks who have been burnt before will believe me. Yes you can and SHOULD use the escaping libraries out there, but you'd still be screwed the day some hacker discovers a way to exploit a browser bug or new "feature" or even an ambiguity in standards[1] that causes the browser to see things differently from what the library handles.
My memory isn't so good but I think there was even a case where a browser treated some unicode characters as "" for some reason with exploitable results.
[1] Both the browser and library could be "right" but that's no comfort to your exploited users and you.
-
Re:ridiculous references
I've tried explaining computer technology to my retired relatives..
Me: "Ok, here's your power cable - that plugs into the back of the base unit just like your DVD player. The cable here goes to the screen just like the SCART connctor to the TV. Now this is the keyboard which is just like a typewriter keyboard, and this is the mouse...."
Relative: "What? Where's the mouse? That plastic thing there? It doesn't look much like a mouse to me. Where are it's whiskers, feet and tail?"
Me: "OK, let's call it an input device. You hold it in your hand and move it around like this. When you want to select something, you press or click the button here..."
And you don't even want to try to explain to them why they can't just use the TV remote to type in the letters of the channel they want to watch (e. C..N...N ) rather than having to type in and remember the desired channel number.
Who remembers Operating System lectures where the professor talked about semaphore signals, monitors and deadlock, or scanners
-
hex words...
-
Re:Anyone usinging specialised tests?
For example, remember the image of homer simpson that was generated using text and css. Using that style, generate a question and then add some random css text around it. It would be hard for the bot to seperate the question and the noise and therefore hard to store it in a database. http://nedbatchelder.com/blog/200805/css_homer_animated.html
If nothing else this would encourage coders to conform to web standards. =)
Correct me if I'm missing something, but I think all that is required to reduce this problem to existing CAPTCHAS would be a system that renders these pages to an image, rather than the browser. -
Re:Anyone usinging specialised tests?
Essentially what it comes down to is that any of these question and answer pairs can be saved in a database and reused over and over. Questions and answers can be images or text or whatever but the fact is, once each one is solved it can be saved and valid from then on. One way to make it hard is to hide the question somewhere on the page so a human can easily see it but it would be hard for a bot to find it and archive it. That way it's harder for them to store the question in their database. For example, remember the image of homer simpson that was generated using text and css. Using that style, generate a question and then add some random css text around it. It would be hard for the bot to seperate the question and the noise and therefore hard to store it in a database. http://nedbatchelder.com/blog/200805/css_homer_animated.html
-
Re:Creator of WHAT?!
You can now draw Homer Simpson with CSS and Javascript
http://nedbatchelder.com/blog/200805/css_homer_animated.html -
Re:Seen this long ago for Mac OS X
Watch him grow a character at a time:
http://nedbatchelder.com/blog/200805/css_homer_animated.html
(apparently the site is down, someone must have already linked it from somewhere that drives traffic) -
Re:Some great examples of mathematical art
-
Re:Some great examples of mathematical art
-
Re:https and login - Try using relative URLshttp://www.nedbatchelder.com/blog/200710.html#e20071017T215538
From the article: If this reference appears in an HTTPS page, the mixed content warning will appear. How to craft a reference that works for both? The answer is again relative URLs, but using a more obscure syntax:<img src='//fast.cdn.net/pix/smiley.jpg'
/> -
Re:windows cvs
Can't tell if you're trolling, but this being a Subversion story and all, try googling it.
You could even try reading the fine Subversion red manual. Note that, for a simple setup using the file based repository (FSFS), you don't need any fancy-dan Apache or BDB, just subversion itself. -
Re:I'm going to try something a little dangerous..
In the end, the RIAA is still a business and has a right to make money.
No business has a right to make money. It's like the pursuit of happiness -- you don't have a right to happiness, you have the right to seek it out.
In the same vein, businesses have the right to attempt to make a buck; they don't have a right to be profitable. If the RIAA/MPAA/TLAA can't embrace the new technology then that's their problem, and they should die like the buggy whip manufacturers.
Or as Heinlein much more aptly put it,
There has grown up in the minds of certain groups in this country the notion that because a man or corporation has made a profit out of the public for a number of years, the government and the courts are charged with the duty of guaranteeing such profit in the future, even in the face of changing circumstances and contrary public interest. This strange doctrine is not supported by statute nor common law. Neither individuals nor corporations have any right to come into court and ask that the clock of history be stopped or turned back, for their private benefit.
(I had to google for this. Here it is (scroll down to "What Inspired Heinlein?"))